Access Control List in JSF
71218 · Sep 2 2011 — edited Sep 8 2011
Hi guys.
I want to secure my JSF application, allowing a JSF page to be viewed only by those users who have rights to do so.
There are two security levels I want to check:
1) Only logged-in users should be allowed to view or use JSF pages, besides the login page. If the user is not logged in/authenticated (I mean authenticated with user and password)
Once I have logged in, I save user information in a JSF session managed bean. I think I can implement a Servlet Filter for JSF and, in there, read the aforementioned bean information; if the bean exists and there is information in its attributes, I let the request go, otherwise I will redirect to the login page.
Is this the recommended way to do it? Do you recommend a better practice?
2) My application has several functionalities; those functionalities are organized in a menu. The user will select the desired option from the menu.
Now, a menu option might be implemented in several JSF pages; this is because the option might be a multi-page form.
In my application, I will be able to configure which users are allowed to access which menu options. This will be configured in a relational database.
Keeping in mind that a request is associated with JSF pages and a menu option might be linked to several JSF pages, which path do you recommend to validate the ACL?
I don't want to associate JSF pages to menu options.
I was thinking of assigning to each JSF page a hard-coded code, and this unique code could be linked to a menu option and thus validate whether access is permitted or not.
I don't know how to implement in JEE the idea I have. How could I link each JSF page to a code, and this code to a menu option?
To hard-code a constant in a managed bean used by the JSF page, I guess it is not the best way, I guess it is not always the case? But what about if the bean could be used in several JSF pages?
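The two checks described in the post, sketched as a single servlet filter; this is an added example and not part of the original post. It relies on JSF storing a session-scoped managed bean as a session attribute under the bean's name. Assumptions: the bean is named `userBean` and exposes the hypothetical `UserBean` interface, the FacesServlet is mapped to `*.xhtml`, and all pages of one menu option live under `/pages/<OPTION_CODE>/`, so the folder name serves as the page's code.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example. Assumptions: session bean named "userBean", pages of one menu
// option grouped under /pages/<OPTION_CODE>/, login view at /login.xhtml.
public class AccessFilter implements Filter {
    /** Hypothetical shape of the session-scoped managed bean. */
    public interface UserBean {
        String getUsername();            // null until login succeeds
        Set<String> getAllowedOptions(); // option codes loaded from the database at login
    }

    private static final String LOGIN_PAGE = "/login.xhtml";
    private static final String PROTECTED_PREFIX = "/pages/";
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Container-decoded path; equals the view path when FacesServlet is mapped to *.xhtml.
        String path = req.getServletPath();
        // Login page and JSF resources stay reachable without a session.
        if (path.equals(LOGIN_PAGE) || path.startsWith("/javax.faces.resource/")) {
            chain.doFilter(rq, rs);
            return;
        }
        // Check 1: a session with a populated user bean must already exist.
        HttpSession session = req.getSession(false);
        Object attr = (session == null) ? null : session.getAttribute("userBean");
        UserBean user = (attr instanceof UserBean) ? (UserBean) attr : null;
        if (user == null || user.getUsername() == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }
        // Check 2: the folder name is the option code; deny unless it was granted.
        if (path.startsWith(PROTECTED_PREFIX)) {
            String rest = path.substring(PROTECTED_PREFIX.length());
            int slash = rest.indexOf('/');
            String option = (slash < 0) ? "" : rest.substring(0, slash);
            if (!user.getAllowedOptions().contains(option)) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(rq, rs);
    }
}
```

The filter has to be mapped to `/*` in `web.xml` so that every request passes through it. Because it runs on every request, a direct URL to a later page of a multi-page form is checked the same way as a click on the menu.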